October 15, 2009

taking phishing to the next level

Phishing has come a long way. It is no longer characterised by the email lure that gets you to click through to a look-alike website. The phishers have moved on from the basic MITM that cracked secure browsing ... and are now concentrating on takeover of the machine itself: the man-in-the-browser (MITB), for which the email is only one of their weaker hooks.

Defences have moved on, too. In some places they relied on two-factor auth, and in others on a series of barriers. One common barrier was to make transactions within the country easy and transactions abroad hard, on the basis that all phishers come from another country.

Phishers responded by employing mules: people who are in the country and are well paid simply to re-transmit the money. People, it turns out, can easily send the money abroad, but trojans or MITBs couldn't.

But a problem with mules is that they are slow. They might take a day or two to get around to it, because they are busy people. And in that time, the victim often spotted the fraudulent transaction ... and complained to the mule! At which point the latter often realised he had been duped: he was not part of the new international trading world, but was instead an essential cog in an international conspiracy to launder money, etc., ad nauseam.

Now phishers have gone to the next step:

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

The ruse buys the crooks time before a victim discovers the fraud, though won’t work if a victim uses an uninfected machine to check his or her bank balance.

The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan.

This is the man in the middle, par excellence. Not only does Mallory steal the information and use it, he rewrites the evidence to hide the crime. Note, this was back in August. More claimed facts, ftr, here and also here:

The researchers also found statistics in the command tool showing that out of 90,000 visitors to the gang’s rogue and compromised websites, 6,400 were infected with the URLZone trojan. Most of the attacks Finjan observed affected people using Internet Explorer browsers, but Ben-Itzhak says other browsers are vulnerable too.

Which juxtaposes with a question that Stephen asked me a few days ago: how can we presume that the system is operating correctly? He was asking this hypothetical from the legal tradition, where it is common for banks to assert the presumption. In the above case, it is quite interesting, because from both points of view, the evidence is clear: correct operation.

The user sees the correct balances and transactions. The bank sees the correct authentication procedures. But we have a case here where neither side is correct, and the system is not operating correctly.
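The mismatch described above, as an added illustration that is not from the original post: the bank's ledger is authoritative, the infected browser shows a rewritten statement that is internally consistent, and only a comparison made outside the compromised machine (the "uninfected machine" check from the quoted report) reveals the gap. The ledger entries, the HTML markup and the amounts are constructed sample data.

```python
import re
from decimal import Decimal

# Constructed sample: the account ledger as the bank holds it (authoritative).
OPENING_BALANCE = Decimal("300.00")
LEDGER = [
    ("2009-08-03", "Salary", Decimal("2500.00")),
    ("2009-08-05", "Rent", Decimal("-900.00")),
    ("2009-08-06", "Transfer to mule account", Decimal("-1450.00")),  # the fraudulent one
]

ROW_RE = re.compile(r"<tr><td>(\d{4}-\d{2}-\d{2})</td><td>(.*?)</td><td>(-?[\d.]+)</td></tr>")
BAL_RE = re.compile(r"Balance:\s*(-?[\d.]+)")

def render_statement(ledger, opening):
    """The HTML the bank serves: every ledger row plus the closing balance."""
    rows = "".join(f"<tr><td>{d}</td><td>{desc}</td><td>{amt}</td></tr>\n"
                   for d, desc, amt in ledger)
    closing = opening + sum(amt for _, _, amt in ledger)
    return f'<table id="statement">\n{rows}</table>\n<p id="balance">Balance: {closing}</p>\n'

def parse_statement(html):
    """Read back what the browser displays (only this simple constructed markup is handled)."""
    rows = [(d, desc, Decimal(amt)) for d, desc, amt in ROW_RE.findall(html)]
    balance = Decimal(BAL_RE.search(html).group(1))
    return rows, balance

def reconcile(ledger, opening, displayed_html):
    """Out-of-band check: compare the displayed statement against the ledger."""
    shown_rows, shown_balance = parse_statement(displayed_html)
    actual_balance = opening + sum(amt for _, _, amt in ledger)
    missing = [row for row in ledger if row not in shown_rows]  # erased transfers
    extra = [row for row in shown_rows if row not in ledger]    # invented rows
    return {
        "missing": missing,
        "extra": extra,
        "balance_shown": shown_balance,
        "balance_actual": actual_balance,
        "tampered": bool(missing or extra or shown_balance != actual_balance),
    }

# Constructed sample of the page as a statement-rewriting trojan would present it:
# the transfer row is dropped and the balance recomputed so the page looks consistent.
TAMPERED_HTML = render_statement(LEDGER[:2], OPENING_BALANCE)

if __name__ == "__main__":
    print(reconcile(LEDGER, OPENING_BALANCE, render_statement(LEDGER, OPENING_BALANCE)))
    print(reconcile(LEDGER, OPENING_BALANCE, TAMPERED_HTML))
```

The tampered page passes every check the browser can make on its own; the discrepancy only appears when the displayed rows and balance are set beside a record the infected machine never touched.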

Why is this a problem? Because security commerce has it that a security system is secure. It has to be completely secure, otherwise it is impossible to sell. Nobody buys a partly-secure system; they want the fully-secured model. So what tends to happen is a form of society-wide cognitive dissonance where we sell the partly-secured as fully-secured. Hence, by the time the banks get around to being the defendants in some case against their "fully-secured" system, they are utterly convinced that it is secure. The presumption that it operates correctly is part of that cognitive dissonance.

Which reminds us of a German case where the presumption that DES was secure was knocked out, because there were things like Deep Crack out there. The role of the courts in breaking this dissonance is important; I can't recall that case precisely, but here is another case from the German courts, this time over the famous Sony rootkit:

According to Germany’s Heise, a district court has just ruled in a case where an individual claimed that the presence of the Sony rootkit caused him financial losses.

After purchasing an Anastacia CD, the plaintiff played it in his computer but his anti-virus software set off an alert saying the disc was infected with a rootkit. He went on to test the CD on three other computers. As a result, the plaintiff ended up losing valuable data.

Claiming for his losses, the plaintiff demanded 200 euros for 20 hours wasted dealing with the virus alerts and another 100 euros for 10 hours spent restoring lost data. Since the plaintiff was self-employed, he also claimed for loss of profits and in addition claimed 800 euros which he paid to a computer expert to repair his network after the infection. Added to this was 185 euros in legal costs making a total claim of around 1,500 euros.

The judge’s assessment was that the CD sold to the plaintiff was faulty, since he should be able to expect that the CD could play on his system without interfering with it. The court ordered the retailer of the CD to pay damages of 1,200 euros.

Which strangely echoes this case:

Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an "online community" for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable.

To join the "My SHC Community," users downloaded software that ended up grabbing some members' prescription information, emails, bank account data and purchases on other sites. Sears called the group that participated "small" and said the data captured by the program was at all times secure and was then destroyed.

The FTC filed a complaint against Sears, accusing the retailer of deceiving those who signed up for the service and downloaded the software.

"(Sears) failed to disclose adequately that the software application, when installed, would: monitor nearly all of the Internet behavior that occurs on consumers' computers, including information exchanged between consumers and websites other than those owned, operated, or affiliated with respondent, information provided in secure sessions when interacting with third-party websites, shopping carts, and online accounts, and headers of web-based email; track certain non-Internet related activities taking place on those computers; and transmit nearly all of the monitored information (excluding selected categories of filtered information) to respondent's remote computer servers," the FTC concluded.

Which all seems to lead to a rather heavy presumption of rightness in favour of the larger party. Sony was safe in installing rootkits, and only got slapped for the direct costs that this unexpected behaviour caused. Sears was safe for the same practice, except it got a tap on the wrist for not disclosing it fully.

Which leads to class action. The obvious asymmetry here is that the large parties (allegedly) inflicted a lot of small damages on many parties. Yet, in each case, they get no more than a light tap, for various reasons. So the message is clear: if there is profit, take on that risk, because the downside is small.

Which leads me to an old observation I made many times in the original phishing days: the issue of fundamental liability allocation will only be sorted out when class action suits redress the imbalance in power (to avoid adverse judgement).

This solution of course is only applicable in the USA, where class action is popular. And it probably doesn't apply to continental banking, where the banks tend to take more care and absorb more of the liabilities directly (hence their losses are much lower). Which is bad news for the UK, Australia and Canada, where the banking models tend to follow liability-dumping models but don't have the ultimate backstop of the class-action suit.

Closing remark: all of these articles were spotted in Bruce Schneier's Crypto-Gram, and all seemed to resonate. There is one hilarious thread about the DHS in the USA deciding to "employ 1000 cyber-security experts." Frequent readers of this blog will see the error at multiple levels. But Bob Cringely took the claim at face value and did some research. He asked 6 people who he thought were experts, and this one was the closest:

“Define ‘expert,’” said another friend from behind Door Number Three, who comes from the security software business. “(An expert is) a person with a high degree of skill in or knowledge of a certain subject. Great, but the question is all about scope. I may be an expert cook – but can I run a kitchen? Same thing with security: there are tons of experts – in specific areas. I was an expert in AV, IDS, and other areas. But I was not the all-knowing security guru (even though my knowledge base was very broad). This is where we run into unintended actuated consequences. An expert will make a choice and take an action. The end result may not be what they had anticipated, because other factors beyond the realm of their expertise caused an unanticipated consequence.”

Which is to say, the word expert simply doesn't work for us. The field is too big, so you are either a generalist like myself (and make frequent detailed mistakes, but hopefully survive in the big picture) or you are a deep specialist who gets the detail correct, but ends up on the wrong mapboard.

But this guy also hit the nail on the head:

So this is the wrong approach entirely. It won’t work, the DHS probably knows it won’t work (if they don’t know that, well God help us all) but they see it as better than nothing. That doesn’t worry me so much, though. What really worries me is the point brought up by cybersecurity expert number six, who himself came in from the cold:

“Sure there are 1,000 (cybersecurity experts),” he said, “but they are already employed… as hackers.”

And, looking at our "presumption of security" question in the big picture, we can understand why. Because of liability dumping, your country's banks are cooperating with the world's 1000 cybersecurity experts. Who's engaged in a criminal conspiracy now?

Posted by iang at October 15, 2009 09:28 AM

I had similar thoughts about account security.

"Dear Customer, your computer is probably compromised and several criminals probably have full access to all your accounts. Neither I nor my company are particularly concerned. It almost certainly doesn't matter, and will never affect you if we do our job properly."

Posted by: Thomas Barker at February 7, 2036 02:17 AM